Privileges and Access Controls for System Users (RBAC)

Introduction

Thentia Cloud uses Privilege Groups and Privileges to manage data access. A Privilege Group is a collection of users with the same access needs. Privileges define read, write, and delete permissions for a specific entity.

Creating and Managing Privilege Groups

Privilege Groups let you apply data access permissions to multiple Workbench users based on shared roles or functions. This streamlines access management and ensures users only have access to the data they need.

What You'll Learn

  • How to create and configure a Privilege Group
  • How to organize Privilege Groups into a hierarchy
  • How to manage group membership

Create a Privilege Group

To create a Privilege Group:

  1. Go to the Security module > Privilege Groups.
  2. Click Create a new record.
  3. Enter a name and (optionally) an External Group ID or Parent Group for hierarchy.
  4. Save the record. The group can now be used when assigning Privileges.

Set Up a Privilege Group Hierarchy

Privilege Groups are flat by default. To nest groups:

  1. Open a group’s record.
  2. Under Parent Group, select the group above it.
  3. Save. Hierarchies support scenarios where managers need access to subordinate group data.

Note: Higher-level groups do not inherit Privileges from lower ones.

Manage Group Members (System Users)

To add or remove users:

  1. Open a group’s record > Connections > Users.
  2. Click Create a new connected record to add a user.
  3. To remove a user, select their row and click Delete selected record.

Note: Users can belong to multiple groups. Removing a user from a group may increase their access unless other Privileges restrict it.

Creating and Configuring Privileges

What You'll Learn

  • How to create and configure Privileges
  • How to set record-level restrictions
  • How conflicts between Privileges are resolved

Create a Privilege

  1. Open the Security module.
  2. From the navigation menu at the top left, go to RBAC > Privileges.
  3. Click the plus button (Create a new record).
  4. Under Privilege Details, configure:
    • Group: Select the Privilege Group.
    • Entity: Select the entity to apply the permissions.
    • Under Access Settings, set Read, Write, and Delete permissions.
  5. Save the record. The Privilege is now active for users in the group.

Note: Admin users are not affected by Privileges and retain full access.

Access Settings Overview

Entity-Level Permissions:

  • Grant full access to all records in the entity.

Record-Level Permissions (requires optional setup):

  • Set conditions that records must meet for access to apply.
  • Configure different conditions for Read, Write, and Delete permissions.

Access permissions can be scoped to:

  • Entity level: Applies to all records in the entity.
  • Record level: Applies only to records meeting specific criteria.

Enable Record-Level Access (Optional)

To control access at the record level:

  1. Go to System Settings > Configuration.
  2. Click Create a new connected record.
  3. Set Key: record.level.permission and Value: true.
  4. Save the record. Access Level settings will now appear in Privilege configuration.

Access levels include:

  1. All Records – Full access to all records.
  2. Criteria-Based – Access based on specific field values.
  3. Group Owner and Subordinates – Access if the record's group matches or is below the user's group.
  4. Group Owner – Access only if the record belongs to the user's group.
  5. Owner – Access only to records owned by the user.

To use Group Owner-based options, configure your entity with a Group Owner attribute and ensure it’s populated.

Privilege Conflicts

If a user receives conflicting Privileges:

  • The system applies the most restrictive permission.
  • For record-level access, the narrower scope takes precedence.
  • If multiple conditions apply, they’re combined using OR logic.

Example: If one Privilege allows access to records with status "Approved" and another allows access to "Rejected," the user can access both.
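
The conflict rules above, together with the earlier note that removing a user from a group may increase their access, can be modelled for review purposes. This is an added example, not Thentia Cloud code: it assumes boolean Read/Write/Delete flags, that the access levels are listed widest to narrowest, and constructed group, entity and status names.

```python
# Illustrative model of the conflict rules described above; not Thentia Cloud code.
from dataclasses import dataclass

# Assumption: the order the page lists access levels in is widest to narrowest.
LEVELS = ["All Records", "Criteria-Based", "Group Owner and Subordinates",
          "Group Owner", "Owner"]

@dataclass(frozen=True)
class Privilege:
    group: str
    entity: str
    read: bool
    write: bool
    delete: bool
    read_level: str = "All Records"
    read_criteria: frozenset = frozenset()  # allowed "status" values (constructed)

def effective(user_groups, privileges, entity):
    """Resolve one user's access to an entity from all of their groups' Privileges."""
    mine = [p for p in privileges if p.group in user_groups and p.entity == entity]
    if not mine:
        return None  # no Privilege applies; the page does not define this case
    # Most restrictive permission wins: an action is allowed only if every
    # applicable Privilege allows it.
    perms = {a: all(getattr(p, a) for p in mine) for a in ("read", "write", "delete")}
    # Narrower record-level scope takes precedence.
    level = max((p.read_level for p in mine), key=LEVELS.index)
    # Multiple conditions are combined with OR (union of allowed values).
    criteria = frozenset().union(*(p.read_criteria for p in mine))
    return {**perms, "read_level": level, "read_criteria": criteria}

def access_gained_on_removal(user_groups, privileges, entity, group):
    """Actions a user would gain if removed from `group` (the membership caveat)."""
    before = effective(user_groups, privileges, entity)
    after = effective(user_groups - {group}, privileges, entity)
    if before is None or after is None:
        return set()
    return {a for a in ("read", "write", "delete") if after[a] and not before[a]}

# Constructed sample data: group, entity and status names are placeholders.
PRIVS = [
    Privilege("Reviewers", "Application", True, True, False,
              "Criteria-Based", frozenset({"Approved"})),
    Privilege("Auditors", "Application", True, False, False,
              "Criteria-Based", frozenset({"Rejected"})),
]
```

Running `access_gained_on_removal` for each membership before deleting it shows which removals would widen a user's access rather than narrow it.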

By setting up Privileges and Privilege Groups, you can ensure users only access the data they need to perform their work efficiently and securely.
